How to enable NAT loopback on R7000 v3.0-r47381

gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Sun Sep 19, 2021 17:43    Post subject: How to enable NAT loopback on R7000 v3.0-r47381
Router Model: Netgear R7000
Firmware Version: DD-WRT v3.0-r47381 std (09/08/21)
Kernel Version: Linux 4.4.283 #4024 SMP Tue Sep 7 09:20:59 +07 2021 armv7l

ISP modem/router in bridge mode. R7000 as gateway.

I'm trying to self-host Nextcloud and have it working using a port forward: I can access it externally using the external IP and internally using the internal IP. I'm trying to use only the external IP even when connected to the LAN, but it doesn't work.

I did some searching and found out about NAT loopback.

Filter WAN NAT Redirection is unchecked.

Code:
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE


https://svn.dd-wrt.com/ticket/1868
https://www.alexlaird.com/2013/04/dd-wrt-nat-loopback-issue/

The above code did nothing.

Code:
address=/isearch.babylon.com/173.194.66.102


https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1232336#1232336
https://wiki.dd-wrt.com/wiki/index.php/Additional_DNSMasq_Options

The above seemed to work for a brief minute, but Nextcloud had an error. The external URL stopped working, so I couldn't figure out if it was a problem with the SSL certificate or whatever.

Code:
host-record=yourhost.no-ip.com,192.168.1.8


https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1232238#1232238

The above actually killed all connections to my router. My laptop, phone, IP cameras would not connect. I had to hard reset and restore all settings.
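The following is an added illustration of what the MARK/MASQUERADE rules in the first code block are for; it is not code from the thread, from DD-WRT or from Nextcloud. It walks a LAN client's connection to the public IP through mangle PREROUTING (the MARK rule), nat PREROUTING (the tcp dpt:80/443 DNAT to 192.168.1.102 shown in the nat table posted further down), the routing decision and nat POSTROUTING, and shows why the port-forward DNAT alone is not enough: unless the source address is also rewritten to the router, the server answers the LAN client directly over the switch and the reply never passes back through the router to be un-DNATed. Interface names and LAN addresses are those from the thread; 203.0.113.10 stands in for the redacted EXTERNAL.IP and 198.51.100.7 is a constructed outside client. The "lan-masq" mode models POSTROUTING rule 6 of the posted nat table (MASQUERADE out br0 for 192.168.1.0/24 to 192.168.1.0/24), which does the same source rewrite without a mark.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Topology from the thread. The public address is a placeholder for the
# redacted EXTERNAL.IP; 198.51.100.7 below is a constructed outside client.
WAN_IF = "vlan2"
LAN_IF = "br0"
WAN_IP = "203.0.113.10"          # placeholder for EXTERNAL.IP
ROUTER_LAN_IP = "192.168.1.1"
LAN_NET = ip_network("192.168.1.0/24")
SERVER_IP = "192.168.1.102"      # target of the tcp dpt:80/443 DNAT rules
LOOPBACK_MARK = 0x80000000       # value from the corrected rule later in the thread


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int
    mark: int = 0


def route_out_if(dst: str) -> str:
    """Routing decision: LAN subnet leaves via br0, everything else via the WAN."""
    return LAN_IF if ip_address(dst) in LAN_NET else WAN_IF


def mangle_prerouting(pkt: Packet, loopback: str) -> Packet:
    # iptables -t mangle -A PREROUTING ! -i vlan2 -d $WAN_IP -j MARK --set-mark 0x80000000/0x80000000
    # mangle/PREROUTING runs before nat/PREROUTING, so "-d" still sees the public IP.
    if loopback == "mark" and pkt.in_if != WAN_IF and pkt.dst == WAN_IP:
        return replace(pkt, mark=pkt.mark | LOOPBACK_MARK)
    return pkt


def nat_prerouting(pkt: Packet) -> Packet:
    # The posted port forwards: WAN_IP tcp dpt:80/443 -> 192.168.1.102
    if pkt.dst == WAN_IP and pkt.dport in (80, 443):
        return replace(pkt, dst=SERVER_IP)
    return pkt


def nat_postrouting(pkt: Packet, out_if: str, loopback: str) -> Packet:
    src_is_lan = ip_address(pkt.src) in LAN_NET
    dst_is_lan = ip_address(pkt.dst) in LAN_NET
    # "mark": iptables -t nat -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
    # MASQUERADE substitutes the address of the outgoing interface.
    if loopback == "mark" and pkt.mark & LOOPBACK_MARK:
        return replace(pkt, src=ROUTER_LAN_IP if out_if == LAN_IF else WAN_IP)
    # "lan-masq": posted POSTROUTING rule 6, MASQUERADE -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24
    if loopback == "lan-masq" and out_if == LAN_IF and src_is_lan and dst_is_lan:
        return replace(pkt, src=ROUTER_LAN_IP)
    # Ordinary WAN masquerade: SNAT -o vlan2 ... to:EXTERNAL.IP
    if out_if == WAN_IF:
        return replace(pkt, src=WAN_IP)
    return pkt


def forward(pkt: Packet, loopback: str) -> tuple[Packet, str]:
    """Traversal order for a forwarded packet: mangle PREROUTING, nat PREROUTING,
    routing decision, nat POSTROUTING."""
    pkt = mangle_prerouting(pkt, loopback)
    pkt = nat_prerouting(pkt)
    out_if = route_out_if(pkt.dst)
    return nat_postrouting(pkt, out_if, loopback), out_if


def reply_returns_via_router(delivered: Packet) -> bool:
    """The server replies to whatever source it saw. A LAN source is reached
    directly over the switch, so the reply bypasses the router's conntrack entry
    and is never un-DNATed back to WAN_IP; the client, waiting for an answer
    from WAN_IP, discards it. A reply to the router's own LAN address, or to
    any non-LAN address, is routed through the router and is un-DNATed."""
    return delivered.src == ROUTER_LAN_IP or ip_address(delivered.src) not in LAN_NET


def trace(client: Packet, loopback: str) -> dict:
    delivered, out_if = forward(client, loopback)
    return {
        "delivered_src": delivered.src,
        "delivered_dst": delivered.dst,
        "out_if": out_if,
        "works": delivered.dst == SERVER_IP and reply_returns_via_router(delivered),
    }


def lan_client_hits_public_ip(loopback: str = "none") -> dict:
    """A LAN host (192.168.1.120 appears in the posted RRDIPT list) opens https://WAN_IP/."""
    return trace(Packet(in_if=LAN_IF, src="192.168.1.120", dst=WAN_IP, dport=443), loopback)


def wan_client_hits_public_ip() -> dict:
    """An outside client: the plain DNAT is enough, no loopback rule is involved."""
    return trace(Packet(in_if=WAN_IF, src="198.51.100.7", dst=WAN_IP, dport=443), "none")


if __name__ == "__main__":
    for mode in ("none", "mark", "lan-masq"):
        print(f"LAN client, loopback={mode}: {lan_client_hits_public_ip(mode)}")
    print(f"WAN client: {wan_client_hits_public_ip()}")
```

Running it shows the LAN client's packet reaching 192.168.1.102 in all three modes, but only with "mark" or "lan-masq" does the server see the router (192.168.1.1) as the source, which is what lets the reply come back through the router's NAT state. The same trace for the outside client works without either rule, which is why a port forward that is fine from the internet can still fail from inside.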
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Sun Sep 19, 2021 19:19
Did you tick that box at GUI > Security > NAT loopback?

As well, when trying stuff on your router, try all of it via the CLI (ssh/telnet); that way, if it's not working as it should, you just reboot...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Sun Sep 19, 2021 19:36
I've read a mention of that setting somewhere, but never found it.

Didn't realize I could set Dnsmasq settings temporarily through SSH. I'll look into how to do it next time.
kernel-panic69
DD-WRT Guru
Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Sep 19, 2021 21:02
It's "Filter WAN NAT redirection".
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net


Last edited by kernel-panic69 on Sun Sep 19, 2021 21:06; edited 1 time in total
gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Sun Sep 19, 2021 21:05
Other threads have mentioned having it off, or it will block NAT redirection. As shown in the screenshot, it is already off.
kernel-panic69
DD-WRT Guru
Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Sep 19, 2021 21:10
You shouldn't have to do anything; you seem to be quoting old articles and information. It should work with that unchecked. If not, some kind of debug information is needed.

https://svn.dd-wrt.com/ticket/6153

gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Sun Sep 19, 2021 22:16
Code:
root@Router-Gateway:~# iptables -v -L -n -t mangle --line-numbers
Chain PREROUTING (policy ACCEPT 74562 packets, 11M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 43121 packets, 6042K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    43122 6042K RRDIPT_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 23920 packets, 3352K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    23920 3351K RRDIPT_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2     7834  468K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 37636 packets, 8986K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    37636 8986K RRDIPT_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 60811 packets, 12M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain RRDIPT_FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       20  1520 RETURN     all  --  *      *       192.168.1.100        0.0.0.0/0           
2       20  1520 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.100       
3       27  2052 RETURN     all  --  *      *       192.168.1.101        0.0.0.0/0           
4       26  1976 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.101       
5      199 11538 RETURN     all  --  *      *       192.168.1.102        0.0.0.0/0           
6      122  6589 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.102       
7     4181  255K RETURN     all  --  *      *       192.168.1.120        0.0.0.0/0           
8     2333  179K RETURN     all  --  *      *       0.0.0.0/0            192.168.1.120       
9     1907  249K RETURN     all  --  *      *       192.168.1.122        0.0.0.0/0           
10    1519  454K RETURN     all  --  *      *       0.0.0.0/0            192.168.1.122       
11     226 31427 RETURN     all  --  *      *       192.168.1.123        0.0.0.0/0           
12     145 24890 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.123       
13     580  196K RETURN     all  --  *      *       192.168.1.141        0.0.0.0/0           
14     502  170K RETURN     all  --  *      *       0.0.0.0/0            192.168.1.141       
15      24  1309 RETURN     all  --  *      *       192.168.1.142        0.0.0.0/0           
16      14   830 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.142       
17    5018  623K RETURN     all  --  *      *       192.168.1.126        0.0.0.0/0           
18    3497  532K RETURN     all  --  *      *       0.0.0.0/0            192.168.1.126       
19     820  102K RETURN     all  --  *      *       192.168.1.127        0.0.0.0/0           
20     633 37052 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.127       
21     610  195K RETURN     all  --  *      *       192.168.1.143        0.0.0.0/0           
22     537  191K RETURN     all  --  *      *       0.0.0.0/0            192.168.1.143       
23       0     0 RETURN     all  --  *      *       192.168.1.231        0.0.0.0/0           
24       0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.231       
25     611 52356 RETURN     all  --  *      *       192.168.1.161        0.0.0.0/0           
26      90  6840 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.161       
27      48  6618 RETURN     all  --  *      *       192.168.1.129        0.0.0.0/0           
28      41  6230 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.129       
29      38  2632 RETURN     all  --  *      *       192.168.1.162        0.0.0.0/0           
30       0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.162       
31       0     0 RETURN     all  --  *      *       EXTERNAL.IP           0.0.0.0/0           
32       0     0 RETURN     all  --  *      *       0.0.0.0/0            EXTERNAL.IP         
33      31  2212 RETURN     all  --  *      *       192.168.1.163        0.0.0.0/0           
34       0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.163       
35       0     0 RETURN     all  --  *      *       192.168.1.164        0.0.0.0/0           
36       0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.164       

Chain RRDIPT_INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
2     5828  959K RETURN     all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0           

Chain RRDIPT_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 RETURN     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
2     4164  301K RETURN     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0


Code:
root@Router-Gateway:~# iptables -v -L -n -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 17260 packets, 3689K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     7873  538K DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.1
2        1    40 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.1
3        4   282 DNAT       icmp --  *      *       0.0.0.0/0            EXTERNAL.IP           to:192.168.1.1
4       16   744 DNAT       tcp  --  *      *       0.0.0.0/0            EXTERNAL.IP           tcp dpt:80 to:192.168.1.102:80
5       30  1480 DNAT       tcp  --  *      *       0.0.0.0/0            EXTERNAL.IP           tcp dpt:443 to:192.168.1.102:443
6     1488  106K TRIGGER    all  --  *      *       0.0.0.0/0            EXTERNAL.IP          TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 10589 packets, 950K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4187 packets, 307K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 43 packets, 2159 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     4905 1085K SNAT       all  --  *      vlan2   192.168.1.0/24       0.0.0.0/0            to:EXTERNAL.IP
2     4161  300K SNAT       all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0            to:EXTERNAL.IP
3        0     0 RETURN     all  --  *      wl1.1   0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
4        0     0 MASQUERADE  all  --  *      wl1.1   0.0.0.0/0            0.0.0.0/0           
5        0     0 RETURN     all  --  *      br0     0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
6       29  6564 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24


Code:
root@Router-Gateway:~# iptables -t mangle -A PREROUTING -i ! vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
Bad argument `vlan2'
Try `iptables -h' or 'iptables --help' for more information.
eibgrad
DD-WRT Guru
Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sun Sep 19, 2021 22:58
gavsiu wrote:
Code:
root@Router-Gateway:~# iptables -t mangle -A PREROUTING -i ! vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
Bad argument `vlan2'
Try `iptables -h' or 'iptables --help' for more information.


FYI, iptables no longer accepts placing the negation (!) after the option and before the argument. It must now be placed before the option.

Code:
root@Router-Gateway:~# iptables -t mangle -A PREROUTING ! -i vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000


Note, I'm NOT commenting on the efficacy of the rule. Just pointing out the syntax error.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
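The syntax point above is easy to trip over when reusing rules from old threads, so here is an added check (not code from the thread, from eibgrad's scripts or from DD-WRT) that scans a firewall script for the legacy `option ! argument` placement and rewrites it to the `! option argument` form iptables now requires. The sample script is constructed from the rules posted in this thread: the first post's rule still uses the old placement, the corrected rule does not.

```python
import re

# "<option> ! <argument>": a short or long option, then a bare "!", then whitespace.
# The lookbehind keeps the option anchored to a token boundary so that values such as
# "--set-mark 0xd001" or "$(nvram get wan_ipaddr)" are never mistaken for options.
_LEGACY_NEGATION = re.compile(r"(?<!\S)(-[A-Za-z]|--[A-Za-z][\w-]*)\s+!\s+")


def fix_legacy_negation(rule: str) -> str:
    """Move a "!" that follows an option to before it: "-i ! vlan2" -> "! -i vlan2".
    Rules already in the current form, or without negation, are returned unchanged."""
    return _LEGACY_NEGATION.sub(r"! \1 ", rule)


def lint_firewall_script(script: str) -> list:
    """Return (line_number, original_line, corrected_line) for every line of a
    firewall script that still uses the legacy negation placement."""
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        fixed = fix_legacy_negation(line)
        if fixed != line:
            findings.append((number, line, fixed))
    return findings


# Constructed sample: the rules from the first post followed by the corrected rule.
SAMPLE_SCRIPT = """\
insmod ipt_mark
insmod xt_mark
iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
iptables -t mangle -A PREROUTING ! -i vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
"""

if __name__ == "__main__":
    for number, original, corrected in lint_firewall_script(SAMPLE_SCRIPT):
        print(f"line {number}: legacy negation")
        print(f"  was: {original}")
        print(f"  use: {corrected}")
```

Only line 3 of the sample is reported; the rewrite is idempotent, so running it over a script that has already been corrected changes nothing. As eibgrad notes, this only fixes the syntax; whether the rule does what you want is a separate question.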
gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Mon Sep 20, 2021 3:38
Code:
iptables -t mangle -A PREROUTING ! -i vlan2 -d $(nvram get wan_ipaddr) -j MARK --set-mark 0x80000000/0x80000000
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark


Results in...

Code:
root@Router-Gateway:~# iptables -v -L -n -t mangle --line-numbers
Chain PREROUTING (policy ACCEPT 9256 packets, 1974K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        7   885 MARK       all  --  !vlan2 *       0.0.0.0/0            EXTERNAL.IP           MARK or 0x80000000
2     9310 1996K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save
...


Which matches https://svn.dd-wrt.com/ticket/6153, but not the second half...

Code:
root@Router-Gateway:~# iptables -v -L -n -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 2037 packets, 807K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     1008 68922 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:192.168.1.1
2        2   100 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:192.168.1.1
3        0     0 DNAT       icmp --  *      *       0.0.0.0/0            EXTERNAL.IP           to:192.168.1.1
4        3   180 DNAT       tcp  --  *      *       0.0.0.0/0            EXTERNAL.IP           tcp dpt:80 to:192.168.1.102:80
5        1    60 DNAT       tcp  --  *      *       0.0.0.0/0            EXTERNAL.IP           tcp dpt:443 to:192.168.1.102:443
6      385 41132 TRIGGER    all  --  *      *       0.0.0.0/0            EXTERNAL.IP          TRIGGER type:dnat match:0 relate:0


Doesn't redirect. Anyone else with the same build can confirm it working?
gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Mon Sep 20, 2021 5:11
Decided to update to the new build with a hard reset to see if there was any difference. Nope.

Firmware Version: DD-WRT v3.0-r47461 std (09/17/21)
Per Yngve Berg
DD-WRT Guru
Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Mon Sep 20, 2021 6:26
Using NAT loopback is a bad idea.
Define a host in DNS for the resource.

Let the public DNS server hand out the public IP and the local DNS server hand out the local IP. Dnsmasq on the router can be your local DNS server.

That way, when a client is located on the LAN, it will resolve the local IP; otherwise it will resolve the public IP.
gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Mon Sep 20, 2021 6:32
I've already tried using Dnsmasq as described in my first post.

This is how it's currently set up. I just added the address or host-record under everything else.

The issues occurred as described.


Last edited by gavsiu on Mon Sep 20, 2021 7:30; edited 1 time in total
Per Yngve Berg
DD-WRT Guru
Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Mon Sep 20, 2021 7:05
Sorry, cannot see your image. The server is not responding.

Post your additional dnsmasq option.

Here is the dnsmasq manual:
https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

address=/isearch.babylon.com/192.168.1.8
gavsiu
DD-WRT Novice
Joined: 19 Jan 2014
Posts: 24

PostPosted: Mon Sep 20, 2021 7:30
Edited my post to use attachment instead.
Per Yngve Berg
DD-WRT Guru
Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Mon Sep 20, 2021 7:41
Add the address=


That domain shall now resolve to the internal address.
All times are GMT